This month we have a very interesting article, 'Convenient, Useful and Insecure – Wireless Enablement', by Jason Conyard, Symantec's Director, Wireless Product Management. Jason has spent many years researching wireless security issues and their solutions and has an in-depth understanding of the issues in this area.

Symantec Security Response is making its Security Alerts available to other web sites. To include these alerts on your web site, go to the following page to configure a script that you can copy and paste directly into your own HTML page:
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi
On May 1, 2003, revised standards for use of the EICAR test file will go into effect. The test file is not malicious and does not replicate; it is often used to test anti-virus installations. The first 68 characters are the string to scan for in the file. They may be followed by any combination of white space characters, with the total file length not exceeding 128 characters. The only white space characters allowed are the space character, tab, LF, CR and CTRL-Z.

The EICAR web site will be updated with the new standard on May 1st:
http://www.eicar.org/
I expect it will be a while before all anti-virus products enable detection for the new standard; there is no cause for alarm if a particular product does not detect the new test file(s).
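As an added example, not part of the newsletter, the C code below implements the revised file format described above as a check an administrator can run over a test file: the published 68-byte EICAR string (a well-known constant that the newsletter refers to but does not print) must come first, only space, tab, LF, CR or Ctrl-Z may follow it, and the whole file may be at most 128 bytes. It also shows the looser "scanner" view, which simply looks for the 68-byte string anywhere. The sample inputs in main() are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The published 68-byte EICAR test string (a well-known constant that the
 * newsletter refers to but does not print).  The backslash is escaped for C. */
#define EICAR_SIG "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
#define EICAR_SIG_LEN 68
#define EICAR_MAX_LEN 128   /* revised standard: whole file at most 128 bytes */

/* White space the revised standard permits after the signature. */
static int eicar_trailing_ok(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == 0x1A;
}

/* Return 1 if buf[0..len) is a valid test file under the revised standard:
 * exactly the signature first, then only permitted white space, and a
 * total length of at most EICAR_MAX_LEN bytes.  Otherwise return 0. */
int eicar_valid(const unsigned char *buf, size_t len)
{
    if (len < EICAR_SIG_LEN || len > EICAR_MAX_LEN)
        return 0;
    if (memcmp(buf, EICAR_SIG, EICAR_SIG_LEN) != 0)
        return 0;
    for (size_t i = EICAR_SIG_LEN; i < len; i++)
        if (!eicar_trailing_ok(buf[i]))
            return 0;
    return 1;
}

/* Convenience wrapper for NUL-terminated samples. */
int eicar_valid_str(const char *s)
{
    return eicar_valid((const unsigned char *)s, strlen(s));
}

/* Scanner view: offset of the 68-byte signature anywhere in buf, or -1.
 * A scanner matches the string wherever it occurs; the stricter
 * eicar_valid() says whether the file as a whole follows the standard. */
long eicar_find(const unsigned char *buf, size_t len)
{
    if (len < EICAR_SIG_LEN)
        return -1;
    for (size_t i = 0; i + EICAR_SIG_LEN <= len; i++)
        if (memcmp(buf + i, EICAR_SIG, EICAR_SIG_LEN) == 0)
            return (long)i;
    return -1;
}

/* Build signature + 'pad' spaces and validate it; exercises the 128-byte
 * limit (68 + 60 = 128 is allowed, 68 + 61 = 129 is not). */
int eicar_padded_is_valid(size_t pad)
{
    unsigned char buf[EICAR_MAX_LEN + 64];
    if (pad > sizeof buf - EICAR_SIG_LEN)
        return 0;
    memcpy(buf, EICAR_SIG, EICAR_SIG_LEN);
    memset(buf + EICAR_SIG_LEN, ' ', pad);
    return eicar_valid(buf, EICAR_SIG_LEN + pad);
}

int main(void)
{
    /* Constructed samples for the example. */
    printf("bare signature:      %d\n", eicar_valid_str(EICAR_SIG));
    printf("with CRLF:           %d\n", eicar_valid_str(EICAR_SIG "\r\n"));
    printf("with form feed:      %d\n", eicar_valid_str(EICAR_SIG "\f"));
    printf("60 spaces (128 B):   %d\n", eicar_padded_is_valid(60));
    printf("61 spaces (129 B):   %d\n", eicar_padded_is_valid(61));
    printf("signature at off 3:  %ld\n",
           eicar_find((const unsigned char *)"abc" EICAR_SIG, 3 + EICAR_SIG_LEN));
    return 0;
}
```

A file that passes eicar_find() but fails eicar_valid() is exactly the case the new standard rules out: a product may still detect it, but it is no longer a conforming test file, so a non-detection is not a defect.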
The May edition of the newsletter will contain a link to a web based questionnaire about this publication. There are only 10-12 questions and I would encourage you to spend 5 minutes to participate so that we can ensure future editions of the Symantec Security Response Newsletter continue to be relevant and of interest to you.

Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
Useful Links

Microsoft Windows 2000 WebDAV / ntdll.dll Buffer Overflow Vulnerability
http://securityresponse.symantec.com/avcenter/security/Content/3.17.2003.html
- Patch for all versions of Windows 2000 except the Japanese NEC version.
- Patch for the Windows 2000 Japanese NEC version.
Viruses, Worms & Trojans

Trojan.Linux.JBellz
Aliases: (none listed)
Risk: Low [1]
Date: January 14th 2003
Platforms Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX.

Overview
The Trojan.Linux.JBellz Trojan horse arrives as a malformed .mp3 file. When the .mp3 file is played with a specific version of the mpg123 player under Linux, the code of the Trojan horse is executed, deleting all the files in the home directory of the current user.

References
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.jbellz.html

W32.Hawawi.Worm
Aliases: (none listed)
Risk: Low [2]
Date: March 19th 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.Hawawi.Worm is a worm that spreads through email using its own SMTP server, ICQ, Yahoo Messenger, PalTalk, and KaZaA. The email message has one of many different Subject lines, such as:
- '''*< Love Speaks it all >*'''
- Co0o0o0o0oL
- Fw:
- Heeeeeeeeeeeeeeeey
- Wussaaaaaaaap?
- WoW But not for NoW

The messages have an attachment with a .pif extension, usually Hawawi.pif. W32.Hawawi.Worm has a payload of overwriting all the files that have the following extensions with zero-byte files: mpeg, rm, wav, sql, mde, php, cpp, swf, ram, mp3, frm, dpr, rar, mpg, jpg, pdf, pps, ppt, txt, htm, html, zip, doc, mdb, xls.

References
http://securityresponse.symantec.com/avcenter/venc/data/w32.hawawi.worm.html

Credit by: Douglas Knowles

Security Advisories

Snort TCP Packet Reassembly Integer Overflow Vulnerability
Risk: High
Date: 15th April 2003

Platforms Affected
- Conectiva Linux 8.0
- Gentoo Linux 1.4_rc2
- Gentoo Linux 1.4_rc3

Components Affected
- SmoothWall SmoothWall 2.0 beta 4
- Snort Project Snort 1.8 - 1.8.7
- Snort Project Snort 1.9 - 1.9.1

Description
A vulnerability has been discovered in Snort. The problem occurs during the reassembly of TCP packets by the stream4 preprocessor. By sending specially crafted fragmented packets across a network monitored by Snort, it may be possible to trigger an integer overflow. As a result, a buffer overflow may occur, effectively allowing a remote attacker to corrupt heap memory. Note that the attacker does not need to address the sensor itself; any traffic the sensor reassembles can carry the crafted segments.

Successful exploitation of this issue could allow a remote attacker to execute arbitrary code on a target system.

This issue affects Snort releases prior to Snort 2.0 RC1.

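To make the class of bug concrete, here is an added C illustration. It is not Snort's source and not the stream4 code; it shows how unchecked 32-bit arithmetic on attacker-controlled TCP sequence numbers can make a reassembly buffer far smaller than the data a segment will write into it, next to a checked size calculation that rejects such a stream. The segment structure, the window limit MAX_STREAM_BYTES and the sample streams are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical view of a queued TCP segment; constructed for this example,
 * not a Snort structure. */
typedef struct {
    uint32_t seq;              /* absolute sequence number from the packet */
    uint32_t len;              /* payload length */
    const unsigned char *data; /* payload */
} segment_t;

/* Largest reassembly buffer this (example) reassembler will build. */
#define MAX_STREAM_BYTES (1u << 20)

/* VULNERABLE PATTERN.  The buffer size is derived from attacker-controlled
 * sequence numbers with unchecked 32-bit arithmetic.  A segment whose
 * seq + len wraps past 2^32 yields a tiny span, so the allocation is small,
 * while that segment's write offset (seq - base_seq) is enormous: a
 * reassembler that copies using this size writes far outside the heap
 * block.  Only the size calculation is shown; it is never used to copy. */
uint32_t naive_span(uint32_t base_seq, const segment_t *segs, size_t n)
{
    uint32_t span = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = segs[i].seq + segs[i].len;   /* may wrap */
        uint32_t rel = end - base_seq;              /* may wrap */
        if (rel > span)
            span = rel;
    }
    return span;
}

/* CHECKED VERSION.  The offset is still computed modulo 2^32, because TCP
 * sequence numbers legitimately wrap, but every segment must lie within
 * MAX_STREAM_BYTES of base_seq and its length must fit without overflow.
 * Returns 0 and the required size in *out, or -1 to reject the stream. */
int checked_span(uint32_t base_seq, const segment_t *segs, size_t n, uint32_t *out)
{
    uint32_t span = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t off = segs[i].seq - base_seq;      /* modular, as TCP intends */
        if (off > MAX_STREAM_BYTES || segs[i].len > MAX_STREAM_BYTES - off)
            return -1;                              /* outside window or would overflow */
        uint32_t end = off + segs[i].len;           /* <= MAX_STREAM_BYTES, cannot wrap */
        if (end > span)
            span = end;
    }
    *out = span;
    return 0;
}

/* Convenience: checked span as a value, -1 when the stream is rejected. */
long checked_span_value(uint32_t base_seq, const segment_t *segs, size_t n)
{
    uint32_t span;
    return checked_span(base_seq, segs, n, &span) == 0 ? (long)span : -1L;
}

/* Reassemble using the checked size; every offset was validated above, so
 * each memcpy stays inside the block.  Gaps are left as zero bytes.
 * Caller frees the result; NULL means the stream was rejected. */
unsigned char *reassemble_checked(uint32_t base_seq, const segment_t *segs, size_t n, uint32_t *out_len)
{
    uint32_t span;
    if (checked_span(base_seq, segs, n, &span) != 0)
        return NULL;
    unsigned char *buf = calloc(span ? span : 1, 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + (segs[i].seq - base_seq), segs[i].data, segs[i].len);
    *out_len = span;
    return buf;
}

/* Constructed sample streams. */
#define DEMO_BASE_SEQ 1000u
static const unsigned char demo_hello[] = "hello";
static const unsigned char demo_world[] = " world";
const segment_t demo_benign[2] = { { 1000u, 5u, demo_hello }, { 1005u, 6u, demo_world } };
/* seq + len = 0xFFFFFFF0 + 1032 wraps to 1016, so naive_span() reports 16
 * bytes although the segment claims 1032 bytes at offset 0xFFFFFFF0 - 1000.
 * The data pointer is a placeholder: this stream is only sized, never copied. */
const segment_t demo_evil[1] = { { 0xFFFFFFF0u, 1032u, demo_hello } };
/* Legitimate wrap: base just below 2^32, segment just above it (offset 0x20). */
const segment_t demo_wrap[1] = { { 0x10u, 4u, demo_hello } };

/* 1 if the benign stream reassembles to "hello world", else 0. */
int demo_benign_reassembles(void)
{
    uint32_t n = 0;
    unsigned char *buf = reassemble_checked(DEMO_BASE_SEQ, demo_benign, 2, &n);
    int ok = buf != NULL && n == 11 && memcmp(buf, "hello world", 11) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("naive span for evil stream:   %u bytes\n", naive_span(DEMO_BASE_SEQ, demo_evil, 1));
    printf("checked span for evil stream: %ld (-1 = rejected)\n", checked_span_value(DEMO_BASE_SEQ, demo_evil, 1));
    printf("checked span, legit wrap:     %ld\n", checked_span_value(0xFFFFFFF0u, demo_wrap, 1));
    printf("benign stream reassembles:    %d\n", demo_benign_reassembles());
    return 0;
}
```

The checked version keeps the modular subtraction, which is what a TCP reassembler needs when sequence numbers pass 2^32, and bounds both the offset and the length against a fixed window before any addition; that is the property the unchecked computation lacks, and the reason the advisory's recommendations on least privilege and memory protection only limit damage rather than prevent the corruption.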
Recommendations
- Run all server processes as non-privileged users with minimal access rights. Configure Snort to run with the least privileges necessary whenever possible. This may limit the consequences of an attacker executing arbitrary code on a target system.
- The exploitability of this issue to execute arbitrary code may be hindered through the use of various memory protection schemes. Where permissible, implement the use of non-executable and randomly mapped memory pages.
- Implement multiple redundant layers of security. Where possible, implement multiple layers of network security. This may limit the consequences of a network sensor or firewall being made unavailable.
- While NetBSD does not include Snort by default, Snort is available through pkgsrc. NetBSD users who have installed Snort packages should use pkgsrc/security/audit-packages to apply upgrades.
- This issue is addressed in Snort 2.0. Users are advised to upgrade.

References
- CERT CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
  http://online.securityfocus.com/advisories/5302
- CORE CORE-2003-0307 Snort TCP Stream Reassembly Integer Overflow Vulnerability
  http://online.securityfocus.com/advisories/5294
- Bug 2.0b4-mallard 005
  http://smoothwall.org/beta/bugs/mallard-006.html
- Snort Homepage
  http://www.snort.org/

Credits
Discovery of this issue is credited to Bruce Leidl, Juan Pablo Martinez Kuhn and Alejandro David Weil from Core Security Technologies.

Security News

Convenient, Useful and Insecure – Wireless Enablement
by Jason R. Conyard, Director, Wireless Product Management.

Last month's announcement from Intel regarding its investment in 802.11 is just the latest press release in what has become one of the hottest technologies to be seen, and more importantly adopted, for some time.

Handhelds (PDAs) have become common both at home and increasingly in the office. With devices of just about every conceivable size, shape, function and price available, it appears these once high-end gadgets are here to stay. As people become more comfortable with creating, storing and sharing information on handhelds, their value and dependability increase in importance. Being able to maintain the integrity of the device, its data and the access it potentially has to other systems becomes critical.

It is estimated that in 2002 alone more than 25 million wireless LAN (802.11) chipsets were sold (1), despite significant publicity about inherent weaknesses in the standard's security. Even when basic methods are available to secure wireless LANs, they are rarely employed, often leaving the wireless network available to anyone and everyone.

Bluetooth, the Personal Area Networking (PAN) radio technology that allows desktop wires to be replaced with wireless connections, is finally seeing adoption. In fact, Bluetooth chip sales of an estimated 35 million outpaced those of 802.11 for 2002 (2), which likely indicates a significant increase in embedded connectivity in consumer electronics in mid-2003.

The convergence of mobile computing with wireless communication is providing opportunities that have for the longest time been the sole domain of science fiction. They also present significant security challenges to both individuals and organizations. There has been much debate about security threats to ‘wireless’ and there are, as noted above, certainly reasons to pause before jumping in with both feet and committing financially. It is, however, extremely important to remember that the largest area of concern continues to come from the traditional wired infrastructure.

Whether for a home PC or a global IT enterprise, servers, gateways and desktops need to be maintained and updated to run the latest patches and security solutions. Firewall and antivirus software should run with their latest definitions to ensure maximum protection.

This is not to suggest that wireless LANs cannot be deployed or that handhelds should not be used, but before they are, a total view must be taken of how these technologies will be used, what systems they will interact with, what risks exist and how they will be secured.

(1) Source: Gartner.
(2) Source: IN-Stat/MDR.

Contacts and Subscriptions:
Follow this link to subscribe or unsubscribe:
http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation.
Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s).
Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.